The Samba-Bugzilla – Attachment 14932 Details for Bug 13834: CVE-2019-3870 [SECURITY] pysmbd: missing restoration of original umask after umask(0)
Description: Integration test to highlight the problem
Filename: integration-test-patch.txt
MIME Type: text/plain
Creator: Tim Beale
Created: 2019-03-15 05:17:09 UTC
Size: 4.17 KB
Flags: patch, obsolete
>From 6db39d38c3b0fcbb7356d9592ff0ead6692c08ac Mon Sep 17 00:00:00 2001 >From: Tim Beale <timbeale@catalyst.net.nz> >Date: Fri, 15 Mar 2019 13:52:50 +1300 >Subject: [PATCH] tests: Add test to check file-permissions are correct after > provision > >This provisions a new DC and checks there are no world-writable >files in the new DC's private directory. > >Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> >--- > selftest/knownfail.d/provision_fileperms | 2 + > source4/selftest/tests.py | 1 + > source4/setup/tests/provision_fileperms.sh | 71 ++++++++++++++++++++++++++++++ > 3 files changed, 74 insertions(+) > create mode 100644 selftest/knownfail.d/provision_fileperms > create mode 100755 source4/setup/tests/provision_fileperms.sh > >diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms >new file mode 100644 >index 0000000..3d77be3 >--- /dev/null >+++ b/selftest/knownfail.d/provision_fileperms >@@ -0,0 +1,2 @@ >+samba4.blackbox.provision_fileperms.provision-fileperms\(none\) >+ >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index c6355f3..2c226ce 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py 
>@@ -959,6 +959,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_default)", "ad_dc_default > plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")]) > plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision']) > plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision']) >+plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision']) > plantestsuite("samba4.blackbox.supported_features", "none", > ["PYTHON=%s" % python, > os.path.join(samba4srcdir, >diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh >new file mode 100755 >index 0000000..0b3ef03 >--- /dev/null >+++ b/source4/setup/tests/provision_fileperms.sh 
>@@ -0,0 +1,71 @@ >+#!/bin/sh >+ >+if [ $# -lt 1 ]; then >+cat <<EOF >+Usage: $0 PREFIX >+EOF >+exit 1; >+fi >+ >+PREFIX="$1" >+shift 1 >+ >+. `dirname $0`/../../../testprogs/blackbox/subunit.sh >+ >+# selftest sets the umask to zero. Explicitly set it to 022 here, >+# which should mean files should never be writable for anyone else >+ORIG_UMASK=`umask` >+umask 0022 >+ >+# checks that the files in the 'private' directory created are not >+# world-writable >+check_private_file_perms() >+{ >+ target_dir="$1/private" >+ result=0 >+ >+ for file in `ls $target_dir/` >+ do >+ filepath="$target_dir/$file" >+ >+ # skip directories/sockets for now >+ if [ ! -f $filepath ] ; then >+ continue; >+ fi >+ >+ # use stat to get the file permissions, i.e. -rw------- >+ file_perm=`stat -c "%A" $filepath` >+ >+ # then use cut to drop the first 4 chars containing the file type >+ # and owner permissions. What's left is the group and other users >+ global_perm=`echo $file_perm | cut -c4-` >+ >+ # check the remainder doesn't have write permissions set >+ if [ -z "${global_perm##*w*}" ] ; then >+ echo "Error: $file has $file_perm permissions" >+ result=1 >+ fi >+ done >+ return $result >+} >+ >+TARGET_DIR=$PREFIX/basic-dc >+rm -rf $TARGET_DIR >+ >+# create a dummy smb.conf - we need to use fake ACLs for the file system here >+# (but passing --option args with spaces in it proved too difficult in bash) >+SMB_CONF=$TARGET_DIR/tmp/smb.conf >+mkdir -p `dirname $SMB_CONF` >+echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF >+ >+# provision a basic DC >+testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF >+ >+# check the file permissions in the 'private' directory really are private >+testit "provision-fileperms" check_private_file_perms $TARGET_DIR >+ >+rm -rf $TARGET_DIR >+ >+umask $ORIG_UMASK >+ >+exit $failed >-- >2.7.4 >
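Review bot: the new selftest/knownfail.d/provision_fileperms entry marks the provision-fileperms result as an expected failure, so it suppresses exactly the world-writable-file failure this test was added to surface; the commit that restores the umask must delete this knownfail file in the same series, and it would help to say so in the commit message. Minor: the knownfail file also carries a trailing blank line after the test name.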
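Review bot: in source4/setup/tests/provision_fileperms.sh, check_private_file_perms iterates over the output of `ls $target_dir/` and then tests `[ ! -f $filepath ]` with the path unquoted, which breaks on any file name containing whitespace; iterate with a glob instead (`for filepath in "$target_dir"/*; do` followed by `[ -f "$filepath" ] || continue`). `stat -c "%A"` is GNU coreutils syntax, so the check will error out on platforms with a non-GNU stat; a portable alternative that needs no string slicing is `find "$target_dir" -type f \( -perm -g=w -o -perm -o=w \)` and failing if it prints anything. Two smaller points: the `[ -z "${global_perm##*w*}" ]` test is correct but hard to read and would be plainer as `case "$global_perm" in *w*) ... ;; esac`, and because directories are skipped "for now", files created under subdirectories of private/ are never examined, so a umask regression confined to them would pass unnoticed; the recursive find above covers both.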